ADCS Enrollment Policy Web Service

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Certificate Enrollment Policy Web Service (CEP) role on Server Core. The Certificate Enrollment Policy Web Service allows clients to retrieve Certificate Enrollment Policies from an Enterprise Certificate Authority when access to a Domain Controller is not possible, for example external or DMZ-housed computers, or clients without the necessary permissions. Users and computers retrieve enrollment policies from a CEP server over HTTPS/443.

The Certificate Enrollment Policy Web Service binds to Active Directory Domain Controllers over standard LDAP ports. A single CEP server can provide policy services for multiple Enterprise Certificate Authorities. A CEP server is required for clients to utilize a Certificate Enrollment Web Services server.

Requirements

  • Administrator privileges on the CEP server.
  • A deployed and functional Enterprise PKI.

Summary Steps

  • Enroll a Computer Certificate for the CEP server IIS binding.
  • Install the Certificate Authority feature with the Policy Web Enrollment Service role.
  • Determine the URI for client access to the CEP service.
  • Configure Group Policy to direct clients to the new CEP server.

Enroll a Computer Certificate for the CEP server IIS binding

The Certificate Enrollment Policy Web Service must operate over HTTPS/443 and requires a certificate to be installed for the IIS binding. On non-core server installations, you can enroll a certificate using the certlm.msc MMC snap-in. On Server Core installations, you can enroll a certificate from the command line against an Enterprise Certificate Authority, provided one is available in your environment.

certreq.exe -enroll -machine -q <templatename>

Enroll a Certificate by Command Line

Install the Certificate Authority feature with the Policy Web Enrollment Service role

Install the Certificate Authority role with Add/Remove Features or with PowerShell.
Be sure to select the Certificate Enrollment Policy Web Service under Role Services. This guide assumes the use of the Add/Remove Features wizard run remotely through Server Manager.

Install the CEP Role

For Server Core installations, it may be helpful to select the Management Service under IIS Role Services. This installs the Web Management Service (WMSvc) for remote management capability with the IIS Manager for Remote Administration.

Install the IIS Management Service Role

Complete the Role Configuration steps.

Provide Installation Credentials

Select the CEP Service

Select the authentication type for this CEP server.
This guide uses Windows Integrated Authentication (Kerberos) for client requests, which requires that clients be domain joined. Additional authentication types are available if your situation does not allow for domain-joined clients, but they are not covered in this guide.

Select the authentication type

Select the certificate that IIS should bind to for HTTPS connections.

Select the IIS Binding certificate

Confirm and complete the role configuration.

Confirm the role configuration

Complete the role configuration

Determine the URI for client access to the CEP service

Connect to the IIS Management Service using the Remote Manager.

Expand the Default Web Site and select the ADPolicyProvider_CEP_* application. This guide assumes that we selected Windows Integrated Authentication as the authentication type, so the application should be named ADPolicyProvider_CEP_Kerberos.
Select Application Settings.

Select Application Settings in the IIS Manager

Supply a Friendly Name. Make note of this name for future reference.
Record the URI displayed. This is the location clients use to reach the CEP server, and you will need this value to configure Group Policy.

Set a Friendly Name and record the URI
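The same enrollment, role installation, role configuration and URI retrieval steps as a scripted alternative for Server Core, run from an elevated PowerShell session on the CEP host. This is an added example, not from the original guide; the template name 'WebServer', the friendly name 'Corp CEP' and the appSettings key names 'URI' and 'FriendlyName' are assumptions.

```powershell
# Added example (not part of the original guide). Assumed values are marked below.
$Template = 'WebServer'                                 # assumption: a template this host may enroll for
$CepHost  = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"      # FQDN that the IIS binding must match

# 1. Enroll the machine certificate for the HTTPS binding (the guide's certreq step).
certreq.exe -enroll -machine -q $Template
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Pick the newest machine certificate issued to this host that carries the
# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1); anything else is unsuitable for the binding.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$CepHost*" -and
                   $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-authentication certificate for $CepHost in LocalMachine\My" }

# 2. Install the CEP role service plus the IIS Management Service (WMSvc) for remote IIS Manager access.
Install-WindowsFeature ADCS-Enroll-Web-Pol, Web-Mgmt-Service -IncludeManagementTools

# 3. Configure CEP with Windows Integrated (Kerberos) authentication, bound to the certificate above.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $cert.Thumbprint -Force

# 4. Allow remote management and start WMSvc so the IIS Manager for Remote Administration can connect.
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name EnableRemoteManagement -Value 1
Set-Service WMSvc -StartupType Automatic
Start-Service WMSvc

# 5. Set the Friendly Name and read the URI without the GUI.
#    Assumption: the CEP application's appSettings use the keys 'FriendlyName' and 'URI',
#    the same names shown under Application Settings in IIS Manager.
Import-Module WebAdministration
$app = 'IIS:\Sites\Default Web Site\ADPolicyProvider_CEP_Kerberos'
Set-WebConfigurationProperty -PSPath $app -Filter "appSettings/add[@key='FriendlyName']" `
    -Name value -Value 'Corp CEP'
$uri = (Get-WebConfigurationProperty -PSPath $app -Filter "appSettings/add[@key='URI']" -Name value).Value
"CEP URI to enter in Group Policy: $uri"
```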

Configure Group Policy to direct clients to the new CEP server

Use the Group Policy Management Console (GPMC) to edit or create a Group Policy Object that will direct clients to use the new CEP server.

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
Select Certificate Services Client – Certificate Enrollment Policy

Configure Group Policy

Enable the policy.
The policy will contain the default LDAP configuration that directs clients to a Domain Controller. Remove that existing entry.

Enable and empty the policy

Select Add to add a new policy.
Enter the URI you recorded from the previous step. For Authentication Type, select the authentication type you selected during installation. This guide used Windows Integrated.
Select Validate Server.

Add a CEP server to the group policy

Select Add.
Repeat this process for any additional CEP servers that are utilized for high availability.

Save and close the policy

Select OK.

Clients will need to refresh policy before using the new CEP servers for policy retrieval. The CEP servers refresh policy from Active Directory every 30 minutes by default, and clients retain a local cache for even longer, so be aware that Certificate Template changes may not be reflected immediately when polled by clients.

The CEP servers can be forced to refresh their cache from Active Directory by issuing the iisreset command.

The client caches are located in the following paths and can be cleared to force a refresh:

  • Computer: %ProgramData%\Microsoft\Windows\X509Enrollment
  • User: %USERPROFILE%\AppData\Local\Microsoft\Windows\X509Enrollment
